Merge lp:~kgunn72/mir/snappy-packaging-with-secprofile into lp:~mir-team/mir/snappy-packaging
Status: | Work in progress |
---|---|
Proposed branch: | lp:~kgunn72/mir/snappy-packaging-with-secprofile |
Merge into: | lp:~mir-team/mir/snappy-packaging |
Diff against target: |
999 lines (+932/-2) 8 files modified
Makefile (+1/-1) overlay/meta/framework-policy/apparmor/policygroups/client (+6/-0) overlay/meta/framework-policy/seccomp/policygroups/client (+1/-0) overlay/meta/mir.apparmor (+74/-0) overlay/meta/mir.seccomp (+403/-0) overlay/meta/mirdemosvr.apparmor (+45/-0) overlay/meta/mirdemosvr.seccomp (+393/-0) overlay/meta/package.yaml (+9/-1) |
To merge this branch: | bzr merge lp:~kgunn72/mir/snappy-packaging-with-secprofile |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Jamie Strandboge (community) | Needs Fixing | ||
Mir development team | Pending | ||
Review via email: mp+266111@code.launchpad.net |
Commit message
first draft additions to confine the mir snap and client
Description of the change
first draft additions to confine the mir snap and client
used the Qt clock reference app as the means to exercise the mir operation, which my not be exhaustive and other client applications may need to look for AA denials or bad sys calls during debug.
Unmerged revisions
- 26. By kevin gunn
-
final seccomp change
- 25. By kevin gunn
-
seccomp updates for demo of clock app
- 24. By kevin gunn
-
seccomp profile changes, mir launches
- 23. By kevin gunn
-
final aa profile changes, clock example launches
- 22. By kevin gunn
-
apparmor profile updates, mir launching
- 21. By kevin gunn
-
update more aa profile
- 20. By kevin gunn
-
update from trunk
- 19. By kevin gunn
-
update apparmor and seccomp files for mir & better server script
- 18. By kevin gunn
-
mir-comp sec prof updates and add mir-demo-server files
- 17. By kevin gunn
-
first adds of security profile
Things are really coming along! Most of my comments are inline, however I did want to mention that in looking at the mir_demo_server packaging and security policy, I think you can simplify things and have mir_demo_server simply use the default security policy with the @PACKAGE@_client cap. Ie, update the yaml to be:
binaries: bin/mir_ demo_server
- name: mir_demo_server
exec: debs/usr/
caps:
- network-client
- @PACKAGE@_client
Then do: meta/mirdemosvr .apparmor overlay/ meta/mirdemosvr .seccomp
$ rm -f overlay/
Note: framework binaries and services may reference the framework-policy from this snap.